asif158
Copper Contributor
Oct 03, 2024

Vulnerabilities Introduced in CNAB after using cpa buildbundle

Hi, this is my first post here. I am following the instructions in the article Prepare your Azure container technical assets for a Kubernetes application - Marketplace publisher |...

 

I used the command cpa buildbundle to build and upload the CNAB to my Azure Container Registry (ACR), but the Defender scan shows vulnerabilities in the CNAB bundle, even though my solution image is free of vulnerabilities. I also scanned the image with Trivy and found Critical and high vulnerabilities in Helm 3, kubectl, and the Docker Engine (Moby).

The approach mentioned in the technical asset mounts the Docker engine of the host machine to Microsoft's image mcr.microsoft.com/container-package-app:latest. My host machine has the Community Edition of Docker Engine, yet the Moby issue persists.

Inside the container, I tried running `tdnf clean all && tdnf update`, which updated Moby, but I was unable to update kubectl and Helm.

Should I be concerned about these vulnerabilities? I believe they may have been introduced by the CPA tool. The documentation states that for marketplace listings, the repository must be free of vulnerabilities. Additionally, it mentions in the limitations section that single containers are not supported, and my current offering contains only a single image.

Any tips on how I can address this issue or any remediation steps would be greatly appreciated.

Thanks!


Asif
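
One way to see which findings exist only in the bundle scan, as an added example that is not part of the original posts or of Microsoft's tooling: it compares two Trivy JSON reports (`trivy image --format json`), one for the CNAB and one for the solution image, and groups the Critical/High findings that appear only in the bundle by target and package. The report contents below (targets, module names, `CVE-0000-*` IDs) are constructed placeholders, and `vuln` is a hypothetical helper for building them.

```python
from collections import defaultdict

WANTED = {"CRITICAL", "HIGH"}

def findings(report, severities=WANTED):
    """Yield (target, package, vuln_id, fixed_version) for matching findings."""
    for result in report.get("Results") or []:
        # Trivy leaves "Vulnerabilities" out (or null) when a target is clean.
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in severities:
                yield (result.get("Target", "?"), v["PkgName"],
                       v["VulnerabilityID"], v.get("FixedVersion") or "no fix listed")

def bundle_only(bundle_report, image_report):
    """Group bundle findings that do not appear in the solution-image scan."""
    in_image = {(pkg, vid) for _, pkg, vid, _ in findings(image_report)}
    grouped = defaultdict(list)
    for target, pkg, vid, fixed in findings(bundle_report):
        if (pkg, vid) not in in_image:
            grouped[(target, pkg)].append((vid, fixed))
    return {key: sorted(vulns) for key, vulns in grouped.items()}

def vuln(vid, pkg, severity, fixed=None):
    """Build one constructed finding using Trivy's field names."""
    entry = {"VulnerabilityID": vid, "PkgName": pkg, "Severity": severity}
    if fixed:
        entry["FixedVersion"] = fixed
    return entry

# Constructed sample reports: targets, modules and IDs are placeholders.
IMAGE_REPORT = {"Results": [{"Target": "app", "Vulnerabilities": [
    vuln("CVE-0000-0004", "example.test/shared", "HIGH", "2.0.0")]}]}
BUNDLE_REPORT = {"Results": [
    {"Target": "app", "Vulnerabilities": [
        vuln("CVE-0000-0004", "example.test/shared", "HIGH", "2.0.0")]},
    {"Target": "usr/local/bin/helm", "Vulnerabilities": [
        vuln("CVE-0000-0001", "example.test/mod-a", "CRITICAL", "1.2.3"),
        vuln("CVE-0000-0002", "example.test/mod-a", "LOW")]},
    {"Target": "usr/local/bin/kubectl", "Vulnerabilities": [
        vuln("CVE-0000-0003", "example.test/mod-b", "HIGH")]},
    {"Target": "clean-layer", "Vulnerabilities": None},
]}

if __name__ == "__main__":
    for (target, pkg), vulns in bundle_only(BUNDLE_REPORT, IMAGE_REPORT).items():
        for vid, fixed in vulns:
            print(f"{target}\t{pkg}\t{vid}\tfixed in: {fixed}")
```

With real reports, load each file with `json.load` and pass the two dictionaries to `bundle_only`.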

  • asif158 thanks for your question! We only scan the image inside the CNAB, and not the tool. So as long as the images are ok, it is fine.

     

    Regarding the actual vulnerabilities - our team is looking into that right now and I will keep you updated here with any news.

     


    • asif158
      Copper Contributor
      Thanks for the quick reply, justinroyal.

      Regarding the second part of my question, I noticed in the limitations section that single containers are not supported. My current setup uses only a single image.

      Would it be better to switch to two images, or is the current implementation sufficient?

      Apologies for my writing—I'm still pretty new to this.
